diff options
Diffstat (limited to 'doc/wiki/Design.AuthProtocol.txt')
-rw-r--r-- | doc/wiki/Design.AuthProtocol.txt | 251 |
1 files changed, 251 insertions, 0 deletions
diff --git a/doc/wiki/Design.AuthProtocol.txt b/doc/wiki/Design.AuthProtocol.txt new file mode 100644 index 0000000..14ab2e6 --- /dev/null +++ b/doc/wiki/Design.AuthProtocol.txt @@ -0,0 +1,251 @@ +Dovecot Authentication Protocol v1.1 +==================================== + +General +------- + +This is a line based protocol. Each line is a command which ends with an LF +character. The maximum line length isn't defined, but it's currently expected +to fit into 8192 bytes. Authentication mechanism specific data transfers are +the largest single parameters. + +Each command is in format: + +---%<------------------------------------------------------------------------- +<command name> TAB <parameters separated with TAB> +---%<------------------------------------------------------------------------- + +Parameters are split into required and optional parameters. Required parameters +aren't in any specific format, but optional parameters are either booleans +without a value, or a name=value pair. If optional parameter name is unknown, +the parameter should just be ignored. + +Typical command looks like (without spaces): + +---%<------------------------------------------------------------------------- +command TAB param1 TAB param2 TAB optname=value TAB optboolean +---%<------------------------------------------------------------------------- + +There is no way to have TABs or LFs in parameters. + +Client <-> Server +----------------- + +Client is an untrusted authentication client process. It can serve one or more +users, so from user's point of view it's usually eg. IMAP or SMTP server +process. + +Server is an authentication server process. + +The connection starts by both client and server sending handshakes: + +---%<------------------------------------------------------------------------- +C: "VERSION" TAB <major> TAB <minor> +C: "CPID" TAB <pid> +S: "VERSION" TAB <major> TAB <minor> +S: "SPID" TAB <pid> +S: "CUID" TAB <pid> +S: "COOKIE" TAB <cookie> +S: "MECH" TAB <name> [TAB <parameters>] (multiple times) +S: "DONE" +---%<------------------------------------------------------------------------- + +Both client and server should check that they support the same major version +number. If they don't, the other side isn't expected to be talking the same +protocol and should be disconnected. Minor version can be ignored. This +document is version number 1.1. + + * CPID and SPID specify client and server Process Identifiers (PIDs). They + should be unique identifiers for the specific process. UNIX process IDs are + good choices. + * CUID is a server process-specific unique connection identifier. It's + different each time a connection is established for the server. + * CPID is used by master's REQUEST command. + * SPID can be used by authentication client to tell master which server + process handled the authentication. + * CUID is currently useful only for APOP authentication. + * COOKIE returns connection-specific 128 bit cookie in hex. It must be given + to REQUEST command. (Protocol v1.1+ / Dovecot v2.0+) + * DONE finishes the handshake from server. CPID finishes the handshake from + client. + +Authentication Mechanisms +------------------------- + +MECH command announces an available authentication SASL mechanism. Mechanisms +may have parameters giving some details about them: + +anonymous: + Anonymous authentication + +plaintext: + Transfers plaintext passwords + +dictionary: + Subject to passive (dictionary) attack + +active: + Subject to active (non-dictionary) attack + +forward-secrecy: + Provides forward secrecy between sessions + +mutual-auth: + Provides mutual authentication + +private: + Don't advertise this as available SASL mechanism (eg. APOP) + +Authentication Request +---------------------- + +---%<------------------------------------------------------------------------- +C: "AUTH" TAB <id> TAB <mechanism> TAB service=<service> [TAB <parameters>] +S1: "FAIL" TAB <id> [TAB <parameters>] +S2: "CONT" TAB <id> TAB <base64 data> +S3: "OK" TAB <id> [TAB <parameters>] +---%<------------------------------------------------------------------------- + +ID is a connection-specific unique request identifier. It must be a 32bit +number, so typically you'd just increment it by one. + +Service is the service requesting authentication, eg. POP3, IMAP, SMTP. + +AUTH and USER (see below) common parameters are: + +lip=<ip>: + Local IP - in standard string format, + +rip=<ip>: + Remote IP - ie. for IPv4 127.0.0.1 and for IPv6 ::1 + +lport=<port>: + Local port + +rport=<port>: + Remote port + +AUTH-only parameters are: + +secured: + Remote user has secured transport to auth client] (e.g. localhost, SSL, TLS) + +valid-client-cert: + Remote user has presented a valid SSL certificate. + +no-penalty: + Ignore auth penalty tracking for this request + +cert_username: + Username taken from client's SSL certificate. + +resp=<base64>: + Initial response for authentication mechanism. NOTE: This must be the last + parameter. Everything after it is ignored. This is to avoid accidental + security holes if user-given data is directly put to base64 string without + filtering out tabs. + +FAIL parameters may contain: + +reason=<str>: + <str> should be sent to remote user instead of the standard "Authentication + failed" messages. For example "invalid base64 data". It must NOT be used to + give exact reason for authentication failure (i.e. "user not found" vs. + "password mismatch"). + +code=temp_fail (v2.3+), temp (<v2.2): + This is a temporary internal failure, e.g. connection was lost to SQL + database. + +code=authz_fail (v2.3+), authz (v1.2..v2.2): + Authentication succeeded, but authorization failed (master user's password + was ok, but destination user was not ok). + +code=user_disabled (v2.3+), user_disabled (v2.2): + User is disabled (password may or may not have been correct) + +code=pass_expired (v2.3+), pass_expired (v2.2): + User's password has expired. + +A CONT response means that the authentication continues, and more data is +expected from client to finish the authentication. Given base64 data should be +sent to client. The client may continue the process issuing + +---%<------------------------------------------------------------------------- +C: "CONT" TAB <id> TAB <base64 data> +---%<------------------------------------------------------------------------- + +The <id> must match the <id> of the AUTH command. + +FAIL and OK may contain multiple unspecified parameters which authentication +client may handle specially. The only one specified here is "user=<userid>" +parameter, which should always be sent if the userid is known. + +Server <-> Master +----------------- + +Master is a trusted process which may query results of previous client +authentication or information about a specific user. Master is optional and in +SMTP AUTH case it's not needed. + +The connection starts by both server and master sending handshakes: + +---%<------------------------------------------------------------------------- +S: "VERSION" TAB <major> TAB <minor> +S: "SPID" TAB <pid> +M: "VERSION" TAB <major> TAB <minor> +---%<------------------------------------------------------------------------- + +Auth with client <-> server, both should check that the version numbers are +valid. + +SPID can be used to let master identify the server process. + +Master Requests +--------------- + +---%<------------------------------------------------------------------------- +M: "REQUEST" TAB <id> TAB <client-pid> TAB <client-id> TAB <cookie> +M: "USER" TAB <id> TAB <userid> TAB service=<service> [TAB <parameters>] +S: "NOTFOUND" TAB <id> +S: "FAIL" TAB <id> TAB <error message> +S: "USER" TAB <id> TAB <userid> [TAB <parameters>] +---%<------------------------------------------------------------------------- + +Master commands can request information about existing authentication request, +or about a specified user. + +USER command's service and parameters are the same as with AUTH client request. + +ID is a connection-specific unique request identifier. It must be a 32bit +number, so typically you'd just increment it by one. + +NOTFOUND reply means that the user wasn't found. (v1.x also reported unknown +request IDs with NOTFOUND.) + +FAIL reply means an internal error occurred. Usually either a configuration +mistake or temporary error caused by lost resource (eg. database down). Also +unknown request IDs are reported as FAILs (since v2.0). + +USER reply is sent if request succeeded. It can return parameters: + +uid=<uid>: + System user ID. + +gid=<gid>: + System group ID. + +home=<dir>: + Home directory. + +chroot=<dir>: + Chroot directory. + +mail=<data>: + Mail location. + +system_user=<user>: + System user name which can be used to get extra groups. This will probably + be replaced later by giving just multiple gid fields. + +(This file was created from the wiki on 2019-06-19 12:42) |